I'm using Laravel 12 with Sanctum and trying to get a login working via an Angular frontend.
Until now, I'm able to register and also get a positive response for the CSRF token.
For the login, I get a 500 error with "message": "Session store not set on request."
I tried the previous hints for this error message, but they didn't help. Does anybody have some hints for me?
My request inside of Angular looks like this:
    login(data: { email: string; password: string }): Observable<User> {
        const headers = new HttpHeaders({
            'Accept': 'application/json',
            'Content-Type': 'application/json'
        });
        // Fetch the XSRF cookie first, then send the credentials with cookies attached.
        return this.http.get("http://localhost:8000/sanctum/csrf-cookie", { headers: headers, withCredentials: true }).pipe(
            switchMap(() =>
                this.http.post<User>(`${this.baseUrl}/login`, data, {
                    headers: headers,
                    withCredentials: true,
                })
            )
        );
    }
This is my Laravel api.php route:
    Route::post('/login', function (Request $request) {
        $credentials = $request->only('email', 'password');
        if (Auth::attempt($credentials)) {
            $request->session()->regenerate();
            return response()->json([
                'message' => 'Login successful',
                'user' => Auth::user() // currently logged-in user
            ]);
        }
        return response()->json(['message' => 'Unauthorized'], 401);
    });
This is my middleware inside of app.php:
    ->withMiddleware(function () {
        return [
            // 1. Laravel's built-in support for Precognition requests
            \Illuminate\Foundation\Http\Middleware\HandlePrecognitiveRequests::class,
            // 2. Start the session (important for Sanctum + login)
            \Illuminate\Session\Middleware\StartSession::class,
            // 3. Sanctum middleware that treats API requests as "stateful"
            \Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful::class,
            // 4. Own global middleware (e.g. additional CORS headers)
            function (\Illuminate\Http\Request $request, \Closure $next) {
                $response = $next($request);
                $response->headers->set('Access-Control-Allow-Origin', 'http://spa.localhost:4200');
                $response->headers->set('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS');
                $response->headers->set('Access-Control-Allow-Headers', 'Content-Type, Authorization, X-Requested-With');
                $response->headers->set('Access-Control-Allow-Credentials', 'true');
                return $response;
            },
        ];
    })
My cors.php:
    <?php
    return [
        // Only allow the relevant paths
        'paths' => ['api/*', 'sanctum/csrf-cookie'],
        // Allow all HTTP methods (GET, POST, etc.)
        'allowed_methods' => ['*'],
        // Only allow your Angular app
        'allowed_origins' => ['http://spa.localhost:4200'],
        // No pattern needed, since the origin is allowed explicitly
        'allowed_origins_patterns' => [],
        // Allow all headers (e.g. Content-Type, X-XSRF-TOKEN, etc.)
        'allowed_headers' => ['*'],
        // No special headers need to be exposed
        'exposed_headers' => [],
        // Preflight caching (can be raised if needed)
        'max_age' => 0,
        // So that cookies (sessions) may be sent along
        'supports_credentials' => true,
    ];
And my .env:
SANCTUM_STATEFUL_DOMAINS=spa.localhost:4200
SESSION_DRIVER=cookie
SESSION_LIFETIME=120
SESSION_ENCRYPT=false
SESSION_PATH=/
SESSION_DOMAIN=.localhost
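For reference, here is how the Laravel 11/12 `bootstrap/app.php` middleware hook is normally written for a Sanctum SPA setup. This is an added example, not the poster's code: the file layout and route file paths are the Laravel skeleton defaults, and it assumes the same `SANCTUM_STATEFUL_DOMAINS`, `SESSION_*` and `config/cors.php` values shown in the question.

```php
<?php
// bootstrap/app.php -- added example (not from the question above).
// Assumes the default Laravel 12 skeleton layout and the env/cors settings
// posted in the question.

use Illuminate\Foundation\Application;
use Illuminate\Foundation\Configuration\Exceptions;
use Illuminate\Foundation\Configuration\Middleware;

return Application::configure(basePath: dirname(__DIR__))
    ->withRouting(
        web: __DIR__.'/../routes/web.php',
        api: __DIR__.'/../routes/api.php',
        commands: __DIR__.'/../routes/console.php',
        health: '/up',
    )
    ->withMiddleware(function (Middleware $middleware): void {
        // withMiddleware() passes a Middleware builder; the closure's return
        // value is not used, so returning an array of classes registers nothing.
        //
        // statefulApi() prepends Sanctum's EnsureFrontendRequestsAreStateful to
        // the "api" middleware group. For requests whose Origin/Referer host is
        // listed in SANCTUM_STATEFUL_DOMAINS, that middleware runs
        // EncryptCookies, AddQueuedCookiesToResponse, StartSession and
        // VerifyCsrfToken in front of the route, which is what makes
        // $request->session() available inside routes/api.php. Requests from
        // any other origin stay stateless (token auth only), so listing only
        // the SPA origin here is also the security boundary for cookie auth.
        $middleware->statefulApi();

        // CORS is already handled globally by Illuminate\Http\Middleware\HandleCors
        // using config/cors.php; no hand-written Access-Control-* middleware
        // is needed, and keeping one risks the two disagreeing.
    })
    ->withExceptions(function (Exceptions $exceptions): void {
        //
    })->create();
```

With this in place the `/login` route can stay in `routes/api.php` as posted; it is worth adding `->middleware('throttle:6,1')` (Laravel's built-in ThrottleRequests alias) so credential guessing is rate-limited. One further caveat on the Angular side: Angular's built-in XSRF interceptor only attaches the `X-XSRF-TOKEN` header to relative URLs, so for a cross-origin API such as `http://localhost:8000` the header must be set explicitly from the `XSRF-TOKEN` cookie, otherwise the POST will fail the `VerifyCsrfToken` check once the session problem is solved.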